Cybercriminals are using compromised Microsoft Exchange servers to send spam email and then infect computer systems with the IcedID malware.
IcedID is a backdoor that lets its operators install other malicious programs, including ransomware. Victims receive an encrypted ZIP file as an attachment; the password and instructions for opening the archive are in the email text. Opening the contents starts the loader, which deploys IcedID on the computer.
Information security specialists from FortiGuard Labs discovered an email carrying a malicious ZIP file that was sent to a Ukrainian fuel company; compromised Microsoft Exchange servers were used in this campaign as well. The malicious activity was detected in March of this year, and the criminals are targeting energy, medical, legal and pharmaceutical organizations.
The attack begins with a phishing email announcing an important document in an attached password-protected ZIP archive, with the password given in the body of the email. The password is there so that automated scanners cannot inspect the contents of the ZIP archive. In addition, the attackers hijack existing email threads to make the message more convincing. Thread hijacking is an effective social engineering method that increases the number of successful phishing attempts.
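As an added illustration of the point above (this is not code from the article or from FortiGuard Labs), here is a small mail-gateway triage routine in Python. It reads the encryption bit in the ZIP headers to tell whether an attachment is password-protected, uses the fact that member names stay visible in the central directory even when the content is encrypted, and looks for a password handed out in the message body. The sample archive and message text are constructed here; the list of risky extensions and the quarantine rule are assumptions, not anything the article specifies.

```python
import io
import re
import zipfile

# Extensions that deserve a closer look inside a mailed archive. ISO, LNK and
# DLL are the components of the delivery chain the article describes; the
# rest are an assumed extension of the same idea.
RISKY_EXTENSIONS = {"iso", "img", "lnk", "dll", "exe", "js", "vbs", "hta"}

# Loose match for "password: xyz" / "pass = xyz" in the message text.
PASSWORD_HINT = re.compile(r"\bpass(?:word)?\b\s*[:=\-]?\s*\S+", re.IGNORECASE)


def build_sample_zip(encrypted: bool) -> bytes:
    """Build a constructed one-member ZIP for the demo.

    Python's zipfile cannot write encrypted archives, so for the encrypted
    variant we set bit 0 (traditional PKWARE encryption) in the general-purpose
    flag of the local file header (offset 6) and the central directory header
    (offset 8). The payload stays plaintext; only the headers look encrypted,
    which is all the scanner below inspects.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice_details.iso", b"constructed placeholder, not a real image")
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            data[pos + flag_offset] |= 0x01
    return bytes(data)


def triage_attachment(body_text: str, zip_bytes: bytes) -> dict:
    """Return a verdict for one e-mail carrying one ZIP attachment."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.infolist()
    # Bit 0 of flag_bits marks an encrypted entry. Even then the member names
    # sit in the clear in the central directory, so a gateway that cannot
    # open the archive can still reason about what is inside it.
    encrypted = any(info.flag_bits & 0x1 for info in members)
    names = [info.filename for info in members]
    risky = [n for n in names if n.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS]
    password_in_body = bool(PASSWORD_HINT.search(body_text))

    reasons = []
    if encrypted:
        reasons.append("archive is password-protected; its content cannot be scanned")
    if encrypted and password_in_body:
        reasons.append("a password for the archive appears in the message body")
    if risky:
        reasons.append("archive lists executable-style members: " + ", ".join(risky))

    # Assumed policy: an encrypted archive whose password is handed out in the
    # same message, or that names executable-style content, is held for review.
    quarantine = encrypted and (password_in_body or bool(risky))
    return {"encrypted": encrypted, "members": names, "risky_members": risky,
            "reasons": reasons, "quarantine": quarantine}


if __name__ == "__main__":
    sample_body = "Hello, the document you asked for is attached. Password: Inv2022"
    print(triage_attachment(sample_body, build_sample_zip(encrypted=True)))
    print(triage_attachment("Quarterly figures attached.", build_sample_zip(encrypted=False)))
```

The useful detail for defenders is that a scanner blocked from reading the payload still sees the member list, so an "encrypted archive whose only member is a disk image" is a judgement it can make without the password.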
While previous campaigns used Microsoft Office documents to install malware on victims' computers, in this campaign the IcedID operators use ISO files containing a Windows LNK shortcut file and a dynamic-link library (DLL).
The LNK file is disguised as a document, but when the user double-clicks it, the shortcut runs the operating system's Regsvr32 tool to execute a DLL that decrypts and runs IcedID. Regsvr32 is a command-line program for registering and unregistering DLLs and embedded controls; according to the experts, using Regsvr32 helps the attackers avoid detection.
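Because the execution step rides on a legitimate system binary, the detection opportunity lies in where the DLL comes from and who launched Regsvr32, rather than in the binary itself. The Python below is an added example of that logic (not code from the article or from FortiGuard Labs) run over constructed process-creation events shaped loosely like endpoint telemetry. The trusted-directory list, the treatment of a non-C: drive letter as a likely mounted image, and the sample events are all assumptions made for the demonstration.

```python
import ntpath
import re

# Constructed process-creation events (image, command line, parent image).
# None of these are real log lines.
SAMPLE_EVENTS = [
    {   # shortcut in a mounted ISO launching regsvr32 on a DLL next to it
        "image": r"C:\Windows\System32\regsvr32.exe",
        "command_line": r"regsvr32.exe /s D:\data.dll",
        "parent_image": r"C:\Windows\explorer.exe",
    },
    {   # DLL staged in the user's temp directory
        "image": r"C:\Windows\System32\regsvr32.exe",
        "command_line": r'regsvr32.exe "C:\Users\alice\AppData\Local\Temp\update.dll"',
        "parent_image": r"C:\Windows\explorer.exe",
    },
    {   # benign: an installer re-registering a system component
        "image": r"C:\Windows\System32\regsvr32.exe",
        "command_line": r"regsvr32.exe /s C:\Windows\System32\vbscript.dll",
        "parent_image": r"C:\Windows\System32\msiexec.exe",
    },
    {   # unrelated process, must be ignored
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": r"notepad.exe D:\readme.txt",
        "parent_image": r"C:\Windows\explorer.exe",
    },
]

# Locations where a DLL handed to regsvr32 is normally expected (assumed list).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Parents that indicate an interactive launch such as a double-clicked shortcut.
INTERACTIVE_PARENTS = {"explorer.exe"}

# A .dll argument, quoted or bare, anywhere on the command line.
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)


def dll_argument(command_line: str):
    """Pull the DLL path out of a regsvr32 command line, or None if absent."""
    m = DLL_ARG.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def assess_event(event: dict) -> list:
    """Return the reasons an event is suspicious; an empty list means benign."""
    if ntpath.basename(event["image"]).lower() != "regsvr32.exe":
        return []
    dll = dll_argument(event["command_line"])
    if dll is None:
        return []
    dll_l = dll.lower()
    reasons = []
    if not dll_l.startswith(TRUSTED_PREFIXES):
        reasons.append("DLL loaded from outside trusted system/program directories")
    if not dll_l.startswith("c:\\"):
        # Assumption: C: is the system volume, so another letter is most
        # likely removable media or a mounted ISO image.
        reasons.append("DLL resides on a non-system volume, consistent with a mounted ISO")
    if reasons and ntpath.basename(event["parent_image"]).lower() in INTERACTIVE_PARENTS:
        reasons.append("launched from explorer.exe, consistent with a double-clicked shortcut")
    return reasons


def detect_suspicious_regsvr32(events) -> list:
    """Run the heuristic over a batch of events and return the hits."""
    hits = []
    for ev in events:
        reasons = assess_event(ev)
        if reasons:
            hits.append({"command_line": ev["command_line"],
                         "dll": dll_argument(ev["command_line"]),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect_suspicious_regsvr32(SAMPLE_EVENTS):
        print(hit["dll"], "->", "; ".join(hit["reasons"]))
```

The installer case shows why the rule keys on the DLL's location and the parent process rather than on Regsvr32 alone: the same binary re-registering a component under System32 from msiexec is everyday noise, while the same binary loading a DLL from a freshly mounted drive letter under explorer.exe matches the shortcut-in-ISO chain described above.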
Although the experts do not attribute this IcedID campaign to a specific cybercrime group, a Proofpoint report from June 2021 noted that the groups TA577 and TA551 favor IcedID as their malware.